Hey everyone. I have recently started going through the WebGoat web application security CD, and the latest thing to do was find out the name for the authorization header and what the base64 encoded value was being sent between the server and me. Now, having logged in as guest/guest its no surprise when thats what it decodes to, but my question is does that mean if an .htaccess file is used for authentication then all you have to do is sniff the http packets and decoded the authorization header? That seems too easy so thats why I'm asking what step(s) am I missing? The authorization header is sent with every http header, so it's not like you would have to sniff it right as the user logged on.

Thanks for the input, its really appreciated.

basic auth can always be sniffed if you are on the network because the credentials are only base64 encoded (which is not encrypted).
so yes, it is that easy ;)



Edited 1 time(s). Last edit at 02/23/2009 10:25AM by Reiners.

Reiners Wrote:
-------------------------------------------------------
> basic auth can always be sniffed if you are on the
> network because the credentials are only base64
> encoded (which is not encrypted).
> so yes, it is that easy ;)


Wow, thanks so much for the response, thats just funny. So how do you know what type of authentication a site/server is using/requiring?

Locally we use .htaccess files alot, but now I don't feel very safe lol... Take this site for example, what kind of authentication does it use and how do you tell?

Sorry for the probably dumb question, I won't got any further after this.

Thanks for the input though, its really appreciated!

well you can just connect to the server and you will get a HTTP 401 response like:
HTTP 401 Authorization Required
WWW-Authenticate: Basic

Okay, so I lied, I'm going to ask another question. I don't feel guilty since no one has posted in this section of the forums for 2 days now.

Would it make sense to have a passive network sniffer than just sniffed http headers and if an authorization header was found that has "Basic" in it, to base64 decode it and log it, along with site or ip... whatever else was desired?

A quick google search didn't find anything. And I'm sure this isn't a new idea, so the fact that I don't see any must mean this is fairly useless? It does assume you are on the same network as the 'victims', but privilege escalation and getting access to restricted areas seems like a fairly valuable thing.

Anyone care to set me straight?

In a network any sniffing makes sense :)

But not only for Basic (and Digest) authentication, I would also log POST requests to login scripts ;)

---
blog [-] microblog

just run dsniff

-id

You also may want to check out trapper, I still haven't tried it yet but I've heard good things.
I think a new version should be coming out soon too.

http://nediam.com.mx/trapper/index.html

Hey thanks for the info on trapper, i downloaded it and will give it a try tomorrow.

The only thing about dsniff is it performs a MITM attack, and thats cool and all... but that's noisy. A completely passive tool would be cool, unfortunately that kills switched network sniffing, except for wireless I guess.

I want to play with trapper, it looks like it is passive unless you specify it to arp spoof.

It looks like it has a bunch of cool features, I still haven't seen any basic authentication headers being filtered/sniffed for though ;)

Thanks for the input everyone, this is interesting. Found out about a new tool.

By the way, everyone go download sslstrip from thoughcrime.org in case your not caught up on the latest fad.

I still kind of want to make a passive (so I guess I'm limiting myself to wireless) basic authentication header sniffer, just for privilege escalation in certain environments... get access to the areas I'm not supposed to be in lol. But I dunno, seems like it would have very very limited uses... might not be worth it.

rma88 Wrote:

Quote

so it's not like you would have to sniff it right as the user logged on.

No. you have to be there when he/she logs in e.g. sending an authorization request you will capture. There are plenty of ways, if your on a network with WIFI for example, you only have to enable your network card to start sniffing, and log all packets for further analysis. By the way the actual stored password is encrypted with UNIX crypt3 (DES), the request however is indeed a base64 concatenated string which contains: user:pass. Remember though, some of those authorizations take place over SSL as well, so it is not inherently insecure as you might expect. It's insecurity is only based upon the wrong implementation.

No, you don't have to be there when they log in for Basic Auth because every subsequent request will have the header "Authentication Basic <somestring>" where somestring is like a session id - only it will be the same every time that user:pass combination logs in. If you have that, you don't need the actual username or password.